RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel

From: joe
Date: 01/18/04

    To: "'[Full Disclosure]'"
    Date: Sun, 18 Jan 2004 17:52:43 -0500

    I would be curious what exactly you and your customers are doing with your
    Active Directory implementations. I have been running a 250k user global
    multiple domain AD environment consisting of 9 domains across some 400
    domain controllers for 3 years come April without the issues you seem to
    imply are commonplace for you. Not one restore from backup ever. Our AD has
    the crap beat out of it daily and supports Win9x-WinXP/2K3 as well as
    UNIX/LINUX Kerberos Clients, OS/2, UNIX/LINUX LDAP Clients, Linux, Samba on
    every known flavor of UNIX/LINUX and even Digital Equipment Systems,
    PeopleSoft, etc. We process tens if not hundreds of millions of
    authentications a day across the world. Probably a good 60-70k security
    groups and several hundred thousand computer objects.

    I don't know the size of implementations you have been playing with but I
    would certainly consider my environment Enterprise Level. Any database
    corruption we have ever gotten has been due to complete disk subsystem
    failures and the directory stops replicating to protect itself. We fix the
    disk subsystem failure, reload the machine, repromote, and it is up and
    happy again. We don't really need the reload most of the time probably but
    once I blow a disk system I don't trust the machine until it has been
    scrubbed and reloaded. Obviously if it is a simple RAID disk blown out we
    don't even think twice about that, just throw in another disk and keep going
    on our merry way.

    Is it perfect? No. Have I had problems? Absolutely. I probably have hit more
    real non-self generated issues than a vast majority of the people who have
    or ever will use it simply due to the size and the distributed nature of
    what I run and probably have at least 30+ KB's generated based on what I
    have found and I don't know how many hot fixes and code flow changes are due
    to my experiences and riding MS for the changes. There is certainly room for
    improvement and there always will be. W2K AD was a good first swipe, W2K3 AD
    is better, I expect the next rev to be better yet. That is how it works.

    The biggest problem to the masses with AD is that it isn't the quick plug
    and play environment that the NT4 domain structure was. MS got everyone so
    trained into the idea that some brain dead individual could take a couple of
    simple tests, call themselves an MCSE, and be a big bad network admin that
    it turned around and bit companies firing up AD as they found out MCSE
    didn't mean someone knew what the hell they were talking about.
    Unfortunately for just about all of the Windows Admins/Consultants out there
    one actually has to understand AD a little. Knowing NT4 Domains or Windows
    2000 Servers doesn't make anyone an Active Directory Admin or consultant
    though some will still claim it is so. Most Windows admins and consultants
    don't have that knowledge and shouldn't be playing with it in production
    environments without an adult present. Getting it to run on a home PC isn't
    practical experience.

    As for a poor revisit, I have a Banyan friend who used to go off on NDS just
    like you are going off on AD. I have people at work who bitch about leaving
    various X.500 implementations running on Big Iron.

    I guess what I am saying is that any system will run like shit if
    misconfigured. Just like any system will be insecure if misconfigured.

    You want to beat on a MS product that absolutely deserves to be beat on,
    beat on Exchange 2000/2003. Now there is a product that defies any logic and
    configuration skills and truly isn't how an Enterprise class product should


    -----Original Message-----
    [] On Behalf Of Curt Purdy
    Sent: Sunday, January 18, 2004 4:06 PM
    To: 'yossarian'; '[Full Disclosure]'
    Subject: RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel

    And a poor revisit at that. I have had ADS crash and burn at two customers
    in the last year (unfortunately no backup domain controllers - no we did not
    set them up). Check out MS's knowledge base article on repairing ADS. It
    is like a 50 page article that basically ends with "Re-install and restore
    from tape and synch with other controllers". I have NEVER seen that happen
    with DNS in all the years I've worked with Netware.

    Also have seen ADS get all confused more than once in multiple domain sites
    requiring either finding the server with the least corruption and making it
    authoritative, or restoring from a known good backup. No way to run an
    enterprise. Again, whenever a problem has shown up in NDS, a simple
    DSREPAIR has always fixed everything, without fail.

    Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP


    If you spend more on coffee than on IT security, you will be hacked.
    What's more, you deserve to be hacked.
    -- White House cybersecurity adviser Richard Clarke

    Full-Disclosure - We believe in it.
